Skip to main content

KeeneticOS CVE-2025-56007

MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2025-10-23 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 20:32 vuln.today

DescriptionCVE.org

CRLF-injection in KeeneticOS before 4.3 at "/auth" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit.

AnalysisAI

CRLF injection in KeeneticOS before version 4.3 enables full device takeover by exploiting the /auth API endpoint to inject crafted HTTP headers that create additional administrator-level user accounts. The attack requires social engineering the device owner into visiting a malicious page, after which the injected CRLF sequences manipulate the API response to silently add a full-permission user the attacker controls. No public exploit has been identified at time of analysis, though a detailed writeup is publicly available on GitHub, which significantly lowers the barrier to weaponization.

Technical ContextAI

KeeneticOS is the embedded Linux-based firmware powering Keenetic-brand home and SOHO routers (CPE: cpe:2.3:o:keenetic:keeneticos:*:*:*:*:*:*:*:*). CWE-93 describes improper neutralization of CRLF sequences - carriage return (\r, 0x0D) and line feed (\n, 0x0A) characters that HTTP parsers use to delimit headers. When user-supplied input containing these sequences reaches the /auth API endpoint without sanitization, an attacker can inject synthetic HTTP headers or body content into the response stream, effectively forging server-side API behavior. In this case, the injected payload abuses the user management flow to provision a new account with elevated privileges, exploiting the trust the router firmware places in its own API responses.

RemediationAI

The vendor-released patch is KeeneticOS 4.3, which resolves the CRLF injection in the /auth endpoint. Administrators should upgrade to version 4.3 or later via the Keenetic firmware update mechanism immediately; the advisory at https://keenetic.com/global/security#october-2025-web-api-vulnerabilities provides update guidance. As a compensating control prior to patching, disable remote web interface access from untrusted networks and restrict management plane access to trusted LAN segments only - this does not eliminate the attack if the victim is on the LAN, but significantly reduces the attacker's ability to stage the malicious page in a position where the router's /auth endpoint is reachable. Additionally, advise users not to browse general web content while authenticated to the router admin interface. Note that restricting web UI access may interrupt legitimate remote management workflows.

Share

CVE-2025-56007 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy